ninja.exe

Ninja Pendisk!

Nuno Brito

The application ninja.exe, “Keep your computer safe from infected pendisks” has been detected as a potentially unwanted program by 4 anti-malware scanners. The file has been seen being downloaded from gsf-cf.softonic.com and multiple other hosts. While running, it connects to the Internet address reboot.pro on port 80 using the HTTP protocol.
Publisher:
Nuno Brito

Product:
Ninja Pendisk!

Description:
Keep your computer safe from infected pendisks

Version:
1.6.0.0

MD5:
2e009dda8a1aed47f481da34deaf62ab

SHA-1:
05a0c42c1a0f78ef3936ef58e37844e795e1ff3f

SHA-256:
f5e182f93c87daf3a75c77d5c97148887c00367bbc18ffc738e6095ddb843eb7

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 3:59:52 AM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.Clod052.Trojan
1.3.0.4613

MicroWorld eScan
Adware.Lop
14.0.0.1068

Reason Heuristics
Unnamed.Threat.17
14.3.3.11

VIPRE Antivirus
Trojan.Win32.Generic
25094

File size:
746.5 KB (764,416 bytes)

Product version:
1.6

Copyright:
Nuno Brito (c) 2008

Trademarks:
"ninja pendisk!" is a registered trademark from Nuno Brito

Original file name:
ninja.exe

File type:
Executable application (Win32 EXE)

Language:
Portuguese (Portugal)

Common path:
C:\Program Files\ninja\ninja.exe

File PE Metadata
Compilation timestamp:
6/20/1992 3:52:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:+YPYNu5XYyNi+12k/iL2f5F5w3wyH4wQOlpMnrl0lZanC:+YPuu5olM2ko235w3EwVHl

Entry address:
0x16CCE0

Entry point:
60, BE, 00, B0, 50, 00, 8D, BE, 00, 60, EF, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89...
 
[+]

Entropy:
6.1913

Packer / compiler:
UPX 2.90LZMA]

Code size:
392 KB (401,408 bytes)

The file ninja.exe has been seen being distributed by the following 8 URLs.

http://gsf-cf.softonic.com/05a/0c4/.../file?SD_used=0&channel=WEB&fdh=no&id_file=77335&instance=softonic_es&type=PROGRAM&Expires=1474347607&Signature=TyStdFgqICbKqTl1zoUyK9pJWthZ7xx4XdYbNWEQRENE4t4GKzESlACaynXqLA9RkcfyKD3G55p13lcZdZ~bBaMNnuCy4FclPkyOSawEzypp5szyJEdX4e6M58XdM6cBxpwO296-eogkHPYYt0lpMyP5k36O~7lBRH2PKGnQnow_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=ninja-1.8.exe

http://gsf-cf.softonic.com/710/51b/.../file?SD_used=0&channel=WEB&fdh=no&id_file=77335&instance=softonic_en&type=PROGRAM&Expires=1459188598&Signature=K~4pEuHT9SeD5KKnSroBRMhWdCWT2BBZwt6OcFs5~jyLiiuEYnCwucUc9AcVfeRHHd34vf6KZjQRiRYNSfUaBlLtg3hrGW0Okoz2lew7JO-uQzJ97xBECTQ9ZV3yJKvJG84uypM7IQ4dxQyBoLP9QFt9Is-qNr~TIK1WzDdrktA_&Key-Pair-Id=APKAJUA62FNWTI37JTGQ&filename=ninja.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to reboot.pro  (136.243.24.26:80)

TCP (HTTP):
Connects to i8-h0-s1008.p12-sjc.cdngp.net  (174.35.7.70:80)

TCP (HTTP):
Connects to i2-h0-s2007.p0-pmo.cdngp.net  (174.35.82.191:80)

TCP (HTTP):
Connects to i3-h0-s2005.p0-pmo.cdngp.net  (174.35.82.162:80)

TCP (HTTP):
Connects to i1-h0-s57.p6-lhr.cdngp.net  (174.35.64.142:80)

TCP (HTTP):
Connects to i5-h0-s2011.p1-sea.cdngp.net  (174.35.53.83:80)

TCP (HTTP):
Connects to i4-h0-s56.p6-lhr.cdngp.net  (174.35.64.139:80)

TCP (HTTP):
Connects to i1-h0-s1003.p1-iad.cdngp.net  (174.35.27.94:80)

TCP (HTTP):
Connects to i1-h0-s1001.p0-mia.cdngp.net  (174.35.37.6:80)

TCP (HTTP):
Connects to 95-128-60-135.static.doratelekom.com  (95.128.60.135:80)

TCP (HTTP):
Connects to 95-128-60-134.static.doratelekom.com  (95.128.60.134:80)

Remove ninja.exe - Powered by Reason Core Security